Add more permissions#26
Conversation
kevinbackhouse
requested review from
JarLob,
p- and
sylwia-budzynska
as code owners
There was a problem hiding this comment.
Pull Request Overview
This PR updates the permissions configuration in the smoketest workflow to align with the recommended permissions for the branch-deploy action. It adds several necessary permissions for proper IssueOps functionality.
Key Changes:
- Expanded permissions from 2 to 5 entries to support full branch-deploy capabilities
- Added documentation comment explaining the purpose and source of the permission requirements
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| pull-requests: write # For adding a reaction to the comment | ||
| pull-requests: write # Required for commenting on PRs | ||
| deployments: write # Required for updating deployment statuses | ||
| contents: write # Required for reading/writing the lock file |
There was a problem hiding this comment.
[nitpick] The comment states 'reading/writing' but the permission is 'write'. Consider clarifying that 'write' permission includes read access, or simplify to 'Required for writing the lock file' to match the permission level.
| contents: write # Required for reading/writing the lock file | |
| contents: write # Required for writing the lock file |
|
Should we add a check so that only code owners can trigger this? |
| pull-requests: write # For adding a reaction to the comment | ||
| pull-requests: write # Required for commenting on PRs | ||
| deployments: write # Required for updating deployment statuses | ||
| contents: write # Required for reading/writing the lock file |
There was a problem hiding this comment.
This makes me wonder if we really need the workflow. On one hand it is carefully reviewed IssueOps, on the other hand it is a potentially untrusted code running with high privileges...
There was a problem hiding this comment.
Or trigger it only on release or push instead of issue comment? The tests are running on the base code and not head anyway, so I don't see why it should be on issue comment. And if it runs on head then we definitely need to restrict it. It's not very clear to me when we want to run this workflow.
There was a problem hiding this comment.
The idea is that the branch-deploy action makes this safe to trigger with an issue comment. It's the solution that we've been recommending to other open source maintainers.
I intended this to run on the code from the PR, not the base code. That was a mistake.
There was a problem hiding this comment.
Good catch, I didn't notice it checkouts the main instead of steps.branch-deploy.outputs.sha. @kevinbackhouse could you remind us what is the purpose of the workflow?
There was a problem hiding this comment.
It's for testing that the examples still work. It needs the COPILOT_TOKEN secret so a standard pull-request trigger doesn't work. I figure we could run it on-demand by adding a comment to a PR.
There was a problem hiding this comment.
I've updated it to use github.head_ref.
3 participants
Add all of these recommended permissions:
https://github.com/github/branch-deploy/blob/48285b12b35e47e2dde0c27d2abb33daa846d98b/README.md?plain=1#L189-L197